Full Report
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system. [...]
Analysis Summary
# Vulnerability: Git Arbitrary Code Execution via Submodule Configuration
## CVE Details
- CVE ID: CVE-2025-48384
- CVSS Score: Not explicitly specified, but described as "high-severity"
- CWE: Handling of carriage return characters leading to path resolution issues.
## Affected Systems
- Products: Git distributed version control system
- Versions: All versions prior to 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
- Configurations: Users cloning repositories containing specially crafted submodules ending in `\r`.
## Vulnerability Description
The vulnerability exists due to Git's mishandling of carriage return (`\r`) characters within configuration files, specifically relating to submodules. When a user clones a repository containing a submodule whose path definition ends with `\r`, an incorrect submodule path resolution occurs. This can lead to an attacker successfully setting up a crafted symlink with a malicious hook, resulting in arbitrary code execution on the victim's machine upon cloning the repository.
## Exploitation
- Status: Actively exploited in the wild (Added to CISA's KEV catalog)
- Complexity: Implied to be low enough to be actively exploited.
- Attack Vector: Network (Requires cloning a malicious repository)
## Impact
- Confidentiality: High (Assumed, due to arbitrary code execution)
- Integrity: High (Assumed, due to arbitrary code execution)
- Availability: High (Assumed, due to arbitrary code execution)
## Remediation
### Patches
- Git version 2.43.7
- Git version 2.44.4
- Git version 2.45.4
- Git version 2.46.4
- Git version 2.47.3
- Git version 2.48.2
- Git version 2.49.1
- Git version 2.50.1
### Workarounds
1. Avoid recursive submodule clones from untrusted sources.
2. Disable Git hooks globally using the configuration: `core.hooksPath` set to an empty or inaccessible location.
3. Enforce that only audited submodules are used.
## Detection
- Indicators of compromise are not detailed, but detection should focus on unusual process execution following Git clone/fetch operations involving submodules.
- Detection methods should involve monitoring for file operations related to symlink creation or hook execution initiated by Git processes interacting with untrusted repositories.
## References
- Vendor Advisory (GitHub): https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
- CISA KEV Catalog Update: http://www.cisa.gov/news-events/alerts/2025/08/25/cisa-adds-three-known-exploited-vulnerabilities-catalog